1---
2title: npm-publish
3section: 1
4description: Publish a package
5---
6
7### Synopsis
8
9```bash
10npm publish <package-spec>
11```
12
13### Description
14
15Publishes a package to the registry so that it can be installed by name.
16
17By default npm will publish to the public registry. This can be
18overridden by specifying a different default registry or using a
19[`scope`](/using-npm/scope) in the name, combined with a
20scope-configured registry (see
21[`package.json`](/configuring-npm/package-json)).
22
23
24A `package` is interpreted the same way as other commands (like
25`npm install`) and can be:
26
27* a) a folder containing a program described by a
28  [`package.json`](/configuring-npm/package-json) file
29* b) a gzipped tarball containing (a)
30* c) a url that resolves to (b)
31* d) a `<name>@<version>` that is published on the registry (see
32  [`registry`](/using-npm/registry)) with (c)
33* e) a `<name>@<tag>` (see [`npm dist-tag`](/commands/npm-dist-tag)) that
34  points to (d)
35* f) a `<name>` that has a "latest" tag satisfying (e)
36* g) a `<git remote url>` that resolves to (a)
37
38The publish will fail if the package name and version combination already
39exists in the specified registry.
40
41Once a package is published with a given name and version, that specific
42name and version combination can never be used again, even if it is removed
43with [`npm unpublish`](/commands/npm-unpublish).
44
45As of `npm@5`, both a sha1sum and an integrity field with a sha512sum of the
46tarball will be submitted to the registry during publication. Subsequent
47installs will use the strongest supported algorithm to verify downloads.
48
49Similar to `--dry-run` see [`npm pack`](/commands/npm-pack), which figures
50out the files to be included and packs them into a tarball to be uploaded
51to the registry.
52
53### Files included in package
54
55To see what will be included in your package, run `npm pack --dry-run`.  All
56files are included by default, with the following exceptions:
57
58- Certain files that are relevant to package installation and distribution
59  are always included.  For example, `package.json`, `README.md`,
60  `LICENSE`, and so on.
61
62- If there is a "files" list in
63  [`package.json`](/configuring-npm/package-json), then only the files
64  specified will be included.  (If directories are specified, then they
65  will be walked recursively and their contents included, subject to the
66  same ignore rules.)
67
68- If there is a `.gitignore` or `.npmignore` file, then ignored files in
69  that and all child directories will be excluded from the package.  If
70  _both_ files exist, then the `.gitignore` is ignored, and only the
71  `.npmignore` is used.
72
73  `.npmignore` files follow the [same pattern
74  rules](https://git-scm.com/book/en/v2/Git-Basics-Recording-Changes-to-the-Repository#_ignoring)
75  as `.gitignore` files
76
77- If the file matches certain patterns, then it will _never_ be included,
78  unless explicitly added to the `"files"` list in `package.json`, or
79  un-ignored with a `!` rule in a `.npmignore` or `.gitignore` file.
80
81- Symbolic links are never included in npm packages.
82
83
84See [`developers`](/using-npm/developers) for full details on what's
85included in the published package, as well as details on how the package is
86built.
87
88### Configuration
89
90#### `tag`
91
92* Default: "latest"
93* Type: String
94
95If you ask npm to install a package and don't tell it a specific version,
96then it will install the specified tag.
97
98Also the tag that is added to the package@version specified by the `npm tag`
99command, if no explicit tag is given.
100
101When used by the `npm diff` command, this is the tag used to fetch the
102tarball that will be compared with the local files by default.
103
104
105
106#### `access`
107
108* Default: 'public' for new packages, existing packages it will not change the
109  current level
110* Type: null, "restricted", or "public"
111
112If you do not want your scoped package to be publicly viewable (and
113installable) set `--access=restricted`.
114
115Unscoped packages can not be set to `restricted`.
116
117Note: This defaults to not changing the current access level for existing
118packages. Specifying a value of `restricted` or `public` during publish will
119change the access for an existing package the same way that `npm access set
120status` would.
121
122
123
124#### `dry-run`
125
126* Default: false
127* Type: Boolean
128
129Indicates that you don't want npm to make any changes and that it should
130only report what it would have done. This can be passed into any of the
131commands that modify your local installation, eg, `install`, `update`,
132`dedupe`, `uninstall`, as well as `pack` and `publish`.
133
134Note: This is NOT honored by other network related commands, eg `dist-tags`,
135`owner`, etc.
136
137
138
139#### `otp`
140
141* Default: null
142* Type: null or String
143
144This is a one-time password from a two-factor authenticator. It's needed
145when publishing or changing package permissions with `npm access`.
146
147If not set, and a registry response fails with a challenge for a one-time
148password, npm will prompt on the command line for one.
149
150
151
152#### `workspace`
153
154* Default:
155* Type: String (can be set multiple times)
156
157Enable running a command in the context of the configured workspaces of the
158current project while filtering by running only the workspaces defined by
159this configuration option.
160
161Valid values for the `workspace` config are either:
162
163* Workspace names
164* Path to a workspace directory
165* Path to a parent workspace directory (will result in selecting all
166  workspaces within that folder)
167
168When set for the `npm init` command, this may be set to the folder of a
169workspace which does not yet exist, to create the folder and set it up as a
170brand new workspace within the project.
171
172This value is not exported to the environment for child processes.
173
174#### `workspaces`
175
176* Default: null
177* Type: null or Boolean
178
179Set to true to run the command in the context of **all** configured
180workspaces.
181
182Explicitly setting this to false will cause commands like `install` to
183ignore workspaces altogether. When not set explicitly:
184
185- Commands that operate on the `node_modules` tree (install, update, etc.)
186will link workspaces into the `node_modules` folder. - Commands that do
187other things (test, exec, publish, etc.) will operate on the root project,
188_unless_ one or more workspaces are specified in the `workspace` config.
189
190This value is not exported to the environment for child processes.
191
192#### `include-workspace-root`
193
194* Default: false
195* Type: Boolean
196
197Include the workspace root when workspaces are enabled for a command.
198
199When false, specifying individual workspaces via the `workspace` config, or
200all workspaces via the `workspaces` flag, will cause npm to operate only on
201the specified workspaces, and not on the root project.
202
203This value is not exported to the environment for child processes.
204
205#### `provenance`
206
207* Default: false
208* Type: Boolean
209
210When publishing from a supported cloud CI/CD system, the package will be
211publicly linked to where it was built and published from.
212
213This config can not be used with: `provenance-file`
214
215#### `provenance-file`
216
217* Default: null
218* Type: Path
219
220When publishing, the provenance bundle at the given path will be used.
221
222This config can not be used with: `provenance`
223
224### See Also
225
226* [package spec](/using-npm/package-spec)
227* [npm-packlist package](http://npm.im/npm-packlist)
228* [npm registry](/using-npm/registry)
229* [npm scope](/using-npm/scope)
230* [npm adduser](/commands/npm-adduser)
231* [npm owner](/commands/npm-owner)
232* [npm deprecate](/commands/npm-deprecate)
233* [npm dist-tag](/commands/npm-dist-tag)
234* [npm pack](/commands/npm-pack)
235* [npm profile](/commands/npm-profile)
236